154 comments

[ 1.8 ms ] story [ 74.3 ms ] thread
Given LulzSec seems to post their hacks on twitter, that there's no way of validating who posted the PasteBin item and that the Office of National Statistics hasn't reported the loss, its probably best to wait and see something a little more convincing.
I haven't seen "Census" mentioned in their twitter feed (yet), so as far as I know the only source is a bit of anonymous text on pastebin. Anyone could put that there.
They are mentioning something they've got though, in similar language to the pastebin. I think it unlikely they'd have managed to acquire the full census, but I think it's probably quite possible they've got ones submitted online.
I wrote the article and have been trying to trace the authenticity of the release. I am still waiting to hear back from the Office of National Statistics, which at the time were unaware of who LulzSec even were.

I contacted them a little over two hours ago, I haven't received a response, yet.

Knowing a little of the internals of ONS...

It may take them a while to figure out what a "computer" is and how it might be "hacked". You could be waiting some time :)

ahem.

(comment deleted)
It also has the Bethesda and US senate links in the end, making this look more like copy-paste of an older release. This is inconclusive though since the real LulzSec might copy paste from an older release to get all the ascii art.
Yes, also the phone number is wrong. That number doesn't work anymore.
I've wondered how many individuals and groups out there post things in the name of other security groups to distract attention from (or direct it toward) themselves. Maybe everyone should start signing their releases with a private key.
Full statement:

We are aware of the suggestion that census data has been accessed. We are working with our security advisers and contractors to establish whether there is any substance to this. The 2011 Census places the highest priority on maintaining the security of personal data. At this stage we have noevidence to suggest that any such compromise has occurred.

This was the first census where you could submit details online. I wonder if it was these records? Would be surprised if they had even finished scanning the paper ones yet, but the UK governments security record is not good. They contracted it to Lockheed Martin, who also do the US census, so presumably reused the software?
In all likelihood it was probably compromised through some other means than the software. I'm sure the software got a lot of attention in terms of security but surrounding systems were neglected.
I wonder if they are using the same (undocumented) exploit for each of these attacks.

I am certainly no expert in this field, but I would have thought discovering new exploits and security holes would take time, yet these guys are hitting several major sites a week.

From what I understand, their main tool is simple SQL injection.

Most websites seem to have at least one XSS or SQL injection hole. Nearly all have CSRF flaws.

Still, census data should not be accessible from a public facing web site. That's just amateur hour. You should really assume that anything with a POST form is vulnerable.
well its got to go in somehow, perhaps a facade that exposes only preparedstatements procs could have prevented this, but equally perhaps they exploited the facade, the transport mechanism to the facade, the db driver..... who knows, what is known is that theres a path, however narrow
No, they should have processed the data on a secure network, then burnt CDs with the final results.

That's how Australia treats important (Top Secret classified) data. I don't know how classified our census is, it should be treated with a bit of respect.

Agreed. Any submitted data should have been immediately encrypted with a public key who's companion private key was stored offline. It should have then been immediately transferred to a secondary box which was setup with a single function of accepting and storing the data. Ie a box which you can't query over the network for data.

As soon as the census closed, the relevant boxes should have been taken offline. The data moved to a "secure" location, and the original boxes wiped and destroyed.

Considering the data that was being collected, I don't think this is overkill.

If this is true then I am suing Lockheed Martin under the Data Protection Act.
There's jurisdiction for that?
If their servers have been compromised to leak the data, should be. They ran the survey and UK and European data protection law makes data leaks the responsibility of the data holder.
Yes, they will probably be the information controller under the DPA and have to be extreamlly careful that our data is safe. Even keeping a copy in a non EU country is very hard.
Why would jurisdiction enter into someone in the UK suing the company that processed the UK census data? Thier data. I don't know if antihero is in the UK, but if they aren't, people in the UK should do it instead. I am disturbed that my data could leak like this.
I'm in the UK and for some crazy reason filled out my census correctly, so yeah, I think there's grounds for DPI lawsuit action.
Well, the crazy reason is the threatened fine of up to £1000.
I didn't fill mine in, whoops
As you would expect, there is a legal entity for Lockheed Martin in the UK. Unless there is some crazy immunity for companies working on government contracts (which wouldn't surprise me) I don't see why they couldn't be sued.
If true, this will be a massive coup and regardless of how they obtained the records, LulzSec will get all of the significant negative attention they so badly crave.

I submitted my census info via the online form and given the amount of detail I included I would be terrified if that info was leaked.

Imagining that the release is true, this will do strange things for pay bargaining. Imagine if you could look up your colleagues before asking for a rise? On the other hand, I don't recall anything really horrific on that form. Enough data to steal my identity and take out a mortgage in my name, yes. Enough to embarrass me? no...
I don't remember salary being requested on the UK census...
It did ask for the household annual income. It also asks for the job title of the various householders so with a small bit of market info you could easily discern who earns what. Regardless, salary info would be the least of my concerns.
You're right. I must have been confusing it with the litany of forms & processes I went through after our son was born. Good find.
Q34-40

Job title, Occupation, Employees managed.

You didn't look very well ;0)>

I remember particularly as this sort of question is hard for me as I don't really have a job title, my occupation is extremely varied.

And what is exactly that is of your concern?
I can easily imagine looking up my colleagues salary, because here in Norway you actually can. (Well, you can look at how much tax they pay, and various websites convert that into an estimated salary)

I don't find it particularly interesting, though. People earn around what you expect them to earn.

Why would you be terrified? There isn't that much information on the census form - name, age, address, nationality and employer, roughly.
It includes information on income and health, those are the really nasty bits to have leaked as far as I can remember.

Apart from the obvious ID theft risk.

Name and DoB of everyone in a household alone can make it much easier for someone to pose as you to say a credit card company.
Aren't these already in public records in the form of birth certificates and, if you own property, the title deeds?
I don't like where this is going.
Whats worrying about the apparent proliferation of security breaches like this is that as the attacks get more sophisticated, so do the prevention methods. This could get to the point whereby the skill level required to protect an application or server goes way higher than the skill level of many developers.

The result being that independent development is impossible as you would need to hire ever more expensive security consultants for anything that stores data.

In my experience the expense of a security consultant is rarely correlated with their skill level.
But aren't they using pretty old exploits, SQL injections and DDoS?
"This could get to the point whereby the skill level required to protect an application or server goes way higher than the skill level of many developers."

We reached that point quite a while ago. What we are seeing now is the result of that point being reached, without anyone realising at the time.

I was thinking more in terms of reactions. Governments rarely admit their own faults and weaknesses. They will react claiming computer terrorists must be stopped now and that more control on the Internet is needed to protect everybody.
More likely that common development tools and frameworks will become much more intrinsically security conscious.
I understand your point (it is potentially true for more than just the security domain of application development) but I think your premise in this case is false. SQLI (XSS, CSRF, ...) attacks are neither sophisticated nor new. SQLI has been known since at least 1998 (Phrack 54).

SQLI protection at least should be abstracted away from the developer's concerns by use of default parametrized queries. Technical difficulty is not the problem here.

Surely Web frameworks do a lot to help solve this. Im sure django isnt't perfect; but its more secure than anything I could do.
With the amount of hacking that is flooding the news recently, I would like to learn about database security. What are some good books/tutorials/videos on how to make databases more secure?
SQL injections seem to be the prominent exploit by them.

Not in any order of popularity:

1. Brute-force (or not) cracking of weak or default usernames/passwords

2. Privilege escalation

3. Exploiting unused and unnecessary database services and functionality

4. Targeting unpatched database vulnerabilities

5. SQL injection

6. Stolen backup (unencrypted) tapes

http://mobile.darkreading.com/9289/show/8506121498da7d8ae483...

I believe that most databases are secure, especially the open source ones.

What you should be careful about is the things surrounding the database: the .php files (or whatever) that read/write the database, and the system it is running on.

Basic security practice for the web: NEVER trust user input: check and recheck all the GET/POST variables, check that numbers are numbers, that strings are correct strings (they have no funny characters, such as " or ; (for databases) or <>"&' (for HTML) or . (for paths)). Check all input into the databases (to prevent SQL injections) and all output for to the user (for XSS).

Basic security practice for sysadmins: Use up-to-date OS and software. Use strong passwords. Almost never run root. Make remote access hard.

This seems easy, and for the most part, it is. It's just so many things that people forget to check for them all.

Yes, let's secure our databases against O'Reillys and AT&Ts submitting their funny names! <g>

It's not characters that get you, it's lack of escaping or escaping for the wrong context (e.g. magic_quotes won't work for HTML)

• For SQL use prepared statements exclusively (never let "oh, it's just a number so I don't need to" fool you)

• Escaping doesn't differ between "trusted" and "untrusted" data (and these boundaries are too easy to break eventually).

Just escape everything, always. In PHP it means every `echo $var` is a likely vulnerability and `echo htmlspecialchars($var, ENT_QUOTES)` (in HTML except script) or `json_encode($var)` (in script) is a must.

Obviously, you should do defense in depth, so input validation is great and some filtering just-in-case may be warranted, but escaping alone (assuming done well) is sufficient for security, while filtering alone is not.

> For SQL use prepared statements exclusively (never let "oh, it's just a number so I don't need to" fool you)

I cannot vote this up enough. Also, depending on what database you are using (eg Oracle) if you don't use prepared statements (aka bind variables) you are guarantee killing your DB performance.

People have argued with me in the past that for things like sorting the data they cannot use bind variables. In that case, use the user input to select which safe string to use, eg:

    if user_select_sort == 'by_account_num'
      return 'order by account_num asc'
    elsif user_select_sort == 'by_transaction_date'
      return 'order by transaction_date'
    else 
      return ''
    end if
Then if someone sends in something tricky, it will just order wrong.
On the other hand some uses of bind variables can kill performance: http://www.dbspecialists.com/specialists/specialist2003-11.h...
Well, yes, but only when your data is skewed in general. Tom Kyte gives a 1 - 2 hour presentation about bind variables, bind variable peeking, overbinding, SQL Injection, parsing etc - great stuff if you are an Oracle guy and can get to one of this seminars.
The way I write software, such values of user_select_sort would never even be possible... It's much slower to compare strings than to compare numbers, and passing long descriptive values that are actually booleans or short enums is just a waste of bandwidth (assuming they are passed as GET/POST variables).

Why not just pass numbers instead?

Numbers or strings wasn't the point really. You can do 'order by 1' or 'order by 2' in SQL to order by the first or second selected col etc, but if you used used the number passed directly from the user in the SQL statement, you are open to SQL injection. Feel free to use the number in a case statement to select the order by string to concat into your SQL however.
Another obvious weak point is not controlling access to copies of production databases. Developers getting access to copies of production databases full of personal info is terrifying, and yet not uncommon.
They're going to piss a lot of people off if they do this. Like every single UK citizen.

Exposing security flaws and embarrassing govt is one thing, but to put un-redacted personal data online is quite another.

er... I dont think they care, its for the Lulz.... apparently :-\",
If you read the article or the pastebin:

We’re keeping them under lock and key though… so don’t worry about your privacy (…until we finish re-formatting them for release)

So, given they really arer LulzSec, they are hinting that they won't publish the data un-redacted.

Or they're just literally formatting it for organization and readability. They've released damaging info before on innocent users.
If this is true (and it seems it's probably not) then the people to get angry with are the UK government and their contractors Lockheed-Martin. WTF are we using a US-based company for anyway?
Presumably they put it out for tender and got the best package that they could.

Isn't that what we'd expect a Government to do? Tender jobs out to the private sector and choose the provider that offers the best value for money?

It's not as if Lockheed Martin are a particularly insecure or untrustworthy company to hold private data.

LM have a terrible reputation. Google around.
Is there any Government IT contractor that doesn't have a terrible reputation?

Government contracts are a pain to do. Most of the work is in jumping through hoops rather than actually doing the work. Most (all?) competent companies avoid Government work for this reason, making it very difficult to get any Government IT work done well.

That is a fair point.

I've always thought that the government should have their own IT agency. The NHS would do well to fire all the paid up consultants and commercial software and start a Google-style technology cooperative and share their results to other agencies. The NHS has the biggest IT problem of all and with the right minds on the job we'd have massive progress in the organisation and some serious advances in computer science to boot.

Whilst yes the UK govt and/or LM are to be criticised for their lack of security, LulzSec or whoever don't need to actually go post all the data for the world to see. If they want to prove they've done it post re-dected samples. It's childish, self-defeating and insanely irresponsible to publish them.
Supposedly, census data should be anonymous. This means the records should be anonymized as soon as possible and should not just be stored.
It can't be totally anonymous, otherwise there's no way of enforcing the legal requirement to complete it.

Each census form had a unique ID, which is obviously linked to your address as it was sent to you through the post.

The answers can be hashed in many ways to ensure anonymity.
So what's the worst possible outcome here in terms of the UK government's reactions? Fast-tracked arcane legislation to make security tools illegal like they are in .de ? Broadening the terms of hacking and increasing the legal penalties? If LulzSec aren't trolling the world and they do indeed have these records I would imagine there is going to be one hell of a shitstorm in the coming weeks.
It would be just another excuse to get the Internet ID implemented. MAFIAA has been pushing for Internet ID since years now and a number of politicians are in favour. Must admit that every time I read about the latest Lulsec activity I cannot help but think that MAFIAA is behind all this.
I'd say the opposite will happen. The government will not be able to set up anything which requires a massive secure database for quite a few years. Every time they claim they can set up a secure database, the 2011 census leak will be brought up.
If they will implement the Internet ID in the same way as they implement their current security (assuming the leak is real), then there is no need to worry...
I don't think so, this is the government that wants to pass the Freedom Bill: http://freedom.libdems.org.uk/
Hilariously, that url returns "403 forbidden."

Google doesn't seem to return anything on that domain.

Here's the text of the freedom bill:

http://www.libdems.org.uk/siteFiles/resources/PDF/The_Freedo...

Seems pretty nice. I dread to think what they'll have to trade the tories for it though.

Don't forget that Teresa May's first act when the Tories won the election was to scrap national ID cards and order the database destroyed.
How about holding the companies who were supposed to secure the data fully accountable?
"Biggest" only for the media coverage this could get, i would not be surprised if they had exploited a common vulnerability. At least when we are discussing about publicly accessible sites, "security-illiterate" is the perfect definition for these government agencies (and the external companies that realize the sites they need).

Will this kind of things make the general public at least a bit more security conscious?

There'll be some interesting mashups if this is true.
What info from the census would enable someone to steal an identity? From the looks of it there's only DoB and address in terms of personal info...
Childrens names & DoB, previous addresses, employment status, national insurance number. That info alone is enough for someone experienced to do damage.
Isn't that info relatively easy to obtain from most people anyway? Not on such a large scale of course.
You can obtain that sort of info, by dumpster diving say, but not in anything like the scale.

Imagine that you can get this info and a pretty good idea of salary and lifestyle by running a db search in a few seconds. You can easily focus your attention on the most lucrative propositions and get info from even those that are careful to not put such info out there. Census completion is a legal requirement, everyone should be on one.

Essentially if every person in the UK was open to identity theft then this would be an extremely serious issue. Which it could be.
(comment deleted)
of interest [edit, arrest link below]:

http://twitter.com/#!/channel4news/status/83129762142363649

19-year-old suspected of being mastermind behind computer hacking group LulzSec arrested in Wickford, Essex. #c4news

(comment deleted)
This whole escalating security situation has me thinking that IT security is heading down the same path as the War On Drugs. I wonder if ten or twenty years from now we'll see petitions to legalize hacking tools after we see a resurgence in security breaches following the criminalization of "hacking tools"...
(comment deleted)
I'm leaning toward "hoax." Lulzsec has been reasonably competent writers so far, and the bizarre placement of "blissfully" makes that either incompetent or some kind of steganography. That, added to the lack of tweet, makes me doubt.

Of course, it could still be some anon who actually does have the census data, and considers himself lulzsec-affiliated.

The writing style does seem different, sentences in this release aren't terminated in some cases, whereas those from officially corroborated releases always are.
Also according to their twitter the number listed in the pastebin has been suspended, and they have a new one (not in the pastebin).
Why can't anyone bother to sign their press releases, it's not like it's the 60s.
Plausible deniability? (assuming you meant to cryptographically sign the press releases.)
Such a shame.

Anonymous had a lot of support for their attacks on Mastercard et. al. People, not just the programmers demographic, were seeing them as civil disobedience through the internet and hailing them for taking a right cause, namely against dirty, probably unconstitutional, certainly unethical attacks on wikileaks by numerous powerful groups.

What's more, anonymous was seen as more powerful than such groups on the internet arena. It was felt that such powerful groups would thus think twice and know that they are against probably smarter people, perhaps even their own employees. Alas, like actual physical protests, they did not manage to change much. Wikileaks has almost been forgotten now. Julian has gone quite. The organisation itself seems to have become divided and disorganised. They possibly are buying time. But the power that be has shown us that they have the resources, are willing to play, publicly, dirty tricks, and can even withstand a public opinion quite strongly against them.

Julian has been given some outstanding honour in journalism. He might even win the Peace prize for what some say was the effect of wikileaks on bringing about the Arab Spring. That may show that there are many powerful avenues to resist and/or push back the power that be.

All of that is being undermined for no apparent reason whatever. Although Lulzec might be trying to send a signal to the power that be. We are stronger. We are smarter. You need to know that before thinking again about doing dirty tricks. They don't seem to be able or willing to choose their targets well to send such a message. Showing that you can for example steal the census data in order to increase the security of organisations which deal with our data is like a man showing that he can steal a car by so breaking into the car and stealing it.

We can all commit crimes. We choose not to for very good reasons. Some things can not be fortified and turned into castles. And even castles can be brought down.

So the ultimate effect is that anonymous is painted with the same brush. As petty criminals bringing havoc into the streets of the neighbourhood by breaking car windows to show us that they can so break car windows.

For now, anonymous still has the upper moral ground. That is for now. By for now I mean for the next few days or weeks. The report for example that a member of lulzsec has been arrested who has connections with anonymous helps tremendously in blurring the lines between anonymous and lulsec.

The blurring means nothing more nor less than the excuse and the swaying of the public opinion that the power that be needs to go after anonymous and send a clear signal. You may be smarter but we have more resources and more avenues and the consequences you face are much greater.

The biggest signal that the power that be may send however is that they are able to control the public opinion by playing tricks. I think we all remember how last year we were talking about how the power that be is going to deal with wikileaks. The conversations that were had here on hackernews are probably still accessible through searching. Killing him seemed to be the most mentioned option, but quickly refuted by others. Now, it may be a strong statement to make seeing as I have no evidence whatever, but the information that did come out in regards to the two women, the fact that Assange is still here in Britain almost a year after, that he is actually free, suggests that tainting him with rape accusations was their choice. As we are seeing, it seems to have worked.

Equally, I do not know who lulzecs is. They have no motive, no reason, to do what they are doing. They are intelligent. Thus I doubt they would risk years in prison to just show that they can break a car. People do not tend to do things for no reason, especially if there are great consequences.

There is no laughter to be had of say having access to a lot of information of sonny users. Nor is there any lulz in having say the information of the census.

I therefore think that there is a probability ...

Just so we're clear, you're suggesting that LulzSec is actually a front group for Sophos or maybe Mastercard?

That seems fantastically unlikely.

Give me a break. There are no ideals, and it's not a conspiracy. It's just a bunch of trolls on summer vacation. They are doing it because they don't really care to consider consequences when they choose to do something. Mystery solved by Occam's Razor.

If you didn't know that lots of people like to do mean, pointless things all day for no reason, then welcome to 4chan, you may or may not enjoy your stay.

I thought the actions of anonymous did have ideals. They were protecting free speech through disobedience.

I've seen 4 chan. Its no more than the corner teenagers playing around. They may once in a while break a window, or inconvenience some person, but they do not go to steal banks, or hit a police officer. All that is metaphors obviously, perhaps imperfect metaphors.

All I am saying is that I, we, do not know who or what Lulsecs is. Anonymous is everyone. You can apparently just enlist your computer towards some action. Lulzsecs is who?

Considering what happened to wikileaks why is there no probability, though slight, that it may be some dirty trick?

For example, anonymous is everyone right? Yet this guy who has been arrested, the "lulzsec mastermind", is apparently someone who has connections with anonymous.

Moreover, since lulzec appears to logically have no motive to take such a grave risk, as shown by someone who just got arrested individual and may possibly rot in jail, but many groups have an interest to get rid of anonymous, thus would want to blur the lines and sway the public opinion, I think there is at least some probability that they have been either corrupted or are affiliated.

I'd rather keep an open mind. We'll probably learn much more once this Lulzsec guy goes to trial, hopefully here in Britain, rather than extradited to some extrajurisdictional American prison, or offered a job in some company.

- 4channers have been sitting around DDOSing and defacing websites recreationally for years. The only difference here is that the websites are big organizations instead of some poor dude's message board or personal site, and that might seem like a big difference to you, but I don't think it seems like a big difference to the folks involved.

- I don't know what the mystery is here about "who or what Lulzsec is" or about "Anonymous is everyone." It's a bunch of teenagers on IRC, not a shadowy order of the shadows. It's pretty much the same guys every time, with people popping in and out.

- What does this have to do with Wikileaks, even tangentially? The fact that it's on a computer and the government doesn't like it?

- It's surprising that LulzSec has "connections" with Anonymous? The name of their group is "LulzSec" and their Twitter mascot is the 4chan monocle guy! Where did you think they came from, thin air?

This whole thing looks so completely ordinary to me that I don't see any reason to postulate foul play.

Mystery solved by Occam's Razor.

Why do people insist on saying this? Yes, it might be the most likely reason, but Occam's Razor is not a law. It's more of a saying. Why are people repeating it as if it is always true?

I'm using it as a shorthand for: "Here is a perfectly reasonable explanation that fits the facts. The other given explanation requires the conjunction of multiple unlikely things and I see no evidence favoring it. I believe the other explanation is sufficiently unlikely that there's not much point speculating about it."
There are no ideals, and it's not a conspiracy.

That's the impression I have of a lot of contemporary political and business interests: "There are no ideals, and it's not a conspiracy. It's just business." Some do it for the lulz. Some do it for the bottom line.

LulzSec's tactics may be callous or juvenile, but they also somehow see a fitting expression for some of the inchoate disenchantment that I feel. When I pause to consider that I'm doing pretty well, all things considered, I can imagine the deeper chord they strike with others.

but they also somehow see a fitting expression for some of the inchoate disenchantment that I feel.

I've been curious about this feeling as it certainly seems to me that you're not alone. What is it that they've done that makes them hit a chord with you? What I see when I look at lulzsec is mostly behvior that hurts a random collection of common people - like dropping emails, hashes, personal info of people who just happened to be unlucky enough to make an account with one of their many targets. Or DDOS on small indie software developers to prevent their customers from playing their games for a bit. Are you disenchanted with gamers and people who sign up for a book forum and such?

I totally understand the appeal of the Anonymous DDOS's and HB Gary hack for example, so the whole thing isn't lost on me. But I just find lulzsec idiotic and grating.

I think that if there's an overriding principle behind it, you could say the principle is this:

The world is full of crazy laws and arbitrary rules which are frequently both boring and harmful. The only reasonable laws are ones that are purposeful and enforceable. If a law is stupid or if you can't enforce the law, we will break it at our whimsy, and if you don't like it, then you're the one that should change somehow, because anyone else could and probably should go break it too.

You could say that this is the grow-a-thicker-skin Internet philosophy. It's an idea that is appealing if you're young, moderately intelligent and computer-savvy, because your life has probably been filled with really stupid rules that are totally pointless and/or completely unenforceable, and you have no idea how to fix it, and you have probably never been on the other end of things.

What is it that they've done that makes them hit a chord with you?

As an American, I have a demoralizing sense that the country has given up on doing great things and, more specifically, turned its back on underdogs. I could make a more detailed case, starting with my view of human nature and extending to the latest Supreme Court decisions and the drivel I see nosing around Twitter and Facebook, but that would be sort of beside the point here.

Why gamers and book forum readers? I don't have anything against them personally and I agree there are probably more suitable targets. At the same time, obsessive game-players and score-keeping book-readers offer an obvious illustration for the kind of obliviousness and escapism that I can find symptomatic of larger social problems.

I suspect Lulzsec owes part of its style to The Joker from the last Batman movie. Remember that scene when the Joker lights the pile of money on fire? I agree Anonymous is a more constructive example of civil disobedience. But Lulzsec, in its aimlessness, may be the more potent symbol. I see it as a form of satire as much as anything.

Would my attitude would change if, say, they deleted my gmail account? Probably. But then maybe there would be something constructive in that, too.

Thanks for taking the time to respond.

I was thinking of saying something along the lines of I'd be surprised if they view their own actions so introspectively. Perhaps comparing it to the classic english teacher interpreting meaning behind a work for he class that the author never intended.

But I suppose it really doesn't matter - if people get something from a work it really makes no difference if the intent was there with the creation.

I agree. I expect their actions are not introspective but reactionary. Nevertheless, I think there's a logic behind them consistent with the sort explored by behavioral economists.
Doesn't seem too different than the usual teenage hubris. Kids think adults are boring on purpose and try to disrupt the social order to make life more interesting. They don't realize order and a good life is actually quite hard to maintain, and a bit of boring is the cost of living well.
Again, LulzSec is not Anonymous nor do they speak for them.
According to their Twitter, they haven't hacked the Census. Seems like someone was spreading false information...

See:

https://twitter.com/#!/LulzSec/status/83168314527981568

https://twitter.com/#!/LulzSec/status/83167715799470080

EDIT:

Those tweets were deleted. Here's the official word:

"Just saw the pastebin of the UK census hack. That wasn't us - don't believe fake LulzSec releases unless we put out a tweet first."

https://twitter.com/#!/LulzSec/status/83172089711964161

I wonder how long it will take before someone compromises their Twitter account.
When you post a tweet, how much information does twitter have about you? An IP adress, what platform you use, etc.

I'm just curious, because Lulzsec posts frequently and I wonder if law enforcement could subpoena twitter in attempts to catch these people.

I'm sure they aren't connecting to twitter directly.
During the 'hunt' for Wikileaks the U.S. has subpoenaed Twitter for info about supposed supporters.[1] In the case of Lulzsec this will have very little use though, as they use VPN's to hide their IP [2].

[1] http://www.wired.com/threatlevel/2011/01/twitter/

[2] http://lulzsecexposed.blogspot.com/2011/06/scared-puppies.ht...

they use VPN's to hide their IP

The FBI routinely uses software exploits to install something called CIPAV on the remote client computer to retrieve forensics data and negate the effect of proxies, vpns, tor, etc.

http://www.wired.com/threatlevel/2007/07/fbi-spyware-how/

Twitter almost assuredly has the ability to push a custom iframe or similar based on who is logged on to support these kinds of government payloads. In the case the wired article references myspace directly assisted.

Surely being more security paranoid than usual should make it harder for an attack like this to succeed, but if the feds get pissed enough it's not unthinkable that they could get access to a targeted zero day to use.

It's pretty much useless if the tunnel is on another machine and/or it's firewalled properly.
It's no secret that the @lulzsec account is controlled by former Anonymous spokesperson Topiary (http://twitter.com/atopiary), whose identity is not publicly known, though it has been anonymously claimed that he or she is Daniel Ackerman Sandberg.
atopiary: "Dear press: I have Russian launch codes, motherfuckers. Come at me bro. I will blow your asses out of the sky you fuckers." lol